Our reliance upon technology is nothing new, but in recent years our use of technology seems to be escalating in all aspects of life. For many, simply driving without GPS or going a day without accessing the internet is unbearable. Ideally, the use of technology improves our quality of life in some fashion. Oftentimes, it allows us to operate in a more efficient and effective manner. It should come as no surprise then that the government has increasingly turned to technology to assist with investigations, especially those conducted on the Internet. In some cases, investigations previously conducted by law enforcement officers have been automated. In these instances, the software itself conducts the investigation and simply reports its findings to the officer.
Investigations of Peer-to-Peer (P2P) Networks
A prime example of law enforcement’s increased reliance upon technology is the utilization of software that purportedly investigates computers that access peer-to-peer (P2P) networks. The F.B.I. website explains the operation of P2P networks as follows:
Peer-to-Peer networks allow users connected to the Internet to link their computers with other computers around the world. These networks are established for the purpose of sharing files. Typically, users of Peer-to-Peer networks install free software on their computers which allows them (1) to find and download files located on another Peer-to-Peer user's hard drive, and (2) to share with those other users files located on their own computer. Unfortunately sometimes these information-sharing systems have been used to engage in illegal activity. http://www.fbi.gov/scams-safety/peertopeer - Risks of Peer-to-Peer Systems – accessed, February 9, 2011.
The F.B.I. website notes that the most common crimes associated with P2P networks include Copyright Infringement, Child Exploitation, Obscenity, and Computer Hacking. Id. With regard to investigations on P2P networks, law enforcement officers traditionally manually accessed the P2P networks, by way of publicly available software, and searched the shared folders of other users on the P2P network for items that constitute contraband. In other words, law enforcement would search out contraband that was purportedly in “plain-view” and being offered for download by a user of the P2P network. Once the officer located contraband, it could then be downloaded and preserved as evidence. Further, the investigator could identify the Internet Protocol (IP) address of the computer offering the contraband. Finally, the investigator would identify the digital signature of the file itself. This digital signature is commonly referred to as the file’s SHA-1 value. SHA-1 or Secure Hash Algorithm Version 1, is often described within law enforcement affidavits as a file encryption method that can be used to produce a unique digital signature for an individual file, regardless of the name a user may choose for a file. In essence, it enables the P2P software to identify files in order to facilitate the transfer of files over the network.
Law enforcement relies upon the SHA-1 values in order to identify files that have been previously confirmed to constitute contraband. For instance, a digital image that depicts child sexual exploitation could theoretically be identified by its SHA-1 value, regardless of the file name a user might assign to the digital image and regardless of whether the officer actually downloaded or viewed the image. A comparison between the SHA-1 value of known contraband to the SHA-1 value of the file being offered by a network user can lead an investigator to conclude that contraband is being offered by the particular user.
Once the investigator identifies the suspected contraband, either by downloading and viewing it, or by comparing the SHA-1 value of the digital file to known contraband values, the officer can then observe the IP address of the computer that offered the contraband for download. Thereafter, the internet service provider (ISP) associated with that particular IP address is issued a Subpoena for the identification and address of the subscriber for that particular IP address. With these results, the investigator can apply for a search warrant to enter and search the residence associated with the IP address that was offering contraband.
Peer Spectre Software
In 2008, a software application known as “Peer Spectre” was released and has been utilized by law enforcement agencies throughout the United States and the world. According to government affidavits, Peer Spectre is an automated system that reads the publicly available advertisements from computers that are identifying contraband available for distribution in a consistent and reliable manner. Further, law enforcement claims that the software reports the time, date, SHA-1 value and file name in the same way every time. In essence, it is claimed that Peer Spectre automates the search process, but conducts and reports the investigation in the same manner that had previously been done by individual investigators. Finally, law enforcement claims that the software does not search beyond the file folders that are exposed to the other network users and limits its search to the files that are located in plain-view.
When the government utilizes software to conduct searches over the internet, without a warrant, it is important to consider whether those searches are, in fact, limited to files that are in plain-view. The government bears the burden of proving an exception to the search warrant requirement. State v. Mays, 161 Ohio App,3d 175 (8th Dist. 2005). Where there is no search warrant, the burden falls on the State to show that a search comes within one of the judicially recognized exceptions, including but not limited to, the plain-view doctrine. State v. Akron Airport Post No. 8975, 19 Ohio St.3d 49 (Ohio 1985).
Under the plain-view exception, three (3) requirements must be satisfied: the officer’s intrusion into the location where the evidence is located must be lawful, the discovery of the evidence must be inadvertent, and the incriminating nature of the evidence must be immediately apparent. Texas v. Brown, 460 U.S. 730, 739 (1983). When the government relies upon software to conduct warrantless investigations on the internet, but does not have access to the source code and is thereby unable to authenticate the function of the software application, it is difficult to imagine how the government could meet its burden of proving that the software limited its search to files that are in plain-view. Further, there are no independent studies available, nor have any defense experts been granted access to the software for testing of the source code for analysis. Finally, the reliability of the software cannot be readily determined without the source code and without testing.
Defense Strategies and Considerations
When confronted with a new software application that is utilized in an investigation, it may be useful to explore the following questions:
- Who developed the software and what are the developer’s qualifications?
- Who owns the software?
- Does the government have access to the source code?
- Can a defense expert conduct an independent analysis of the software?
- What training have the investigators received with regard to the software?
- Are there any independent or peer review studies on the software?
- Is the software reliable? If so, how was that conclusion reached?
- Who can authenticate the functionality and reliability of the software?
- Are there any guides or manuals for the software and can they be obtained?
- What does the software really do and how do we know?
Technology is advancing at an ever-increasing pace. There is no reason to expect that the government will not continue to adopt new technology and software for use by law enforcement. Those who take up the defense of citizens charged with crimes must remain vigilant in exploring all aspects the government’s investigation, including a thorough review of the technology and software employed.